MA Privacy Law Deadline Looms
All Companies, Regardless Of Size, Need A Compliance Plan
By January 1, 2010, every Massachusetts business (every employer included, since payroll records alone contain Social Security numbers), and any out-of-state company that holds the covered personal information of Massachusetts residents, must have a written information security program in place and be carrying it out.
The law is Chapter 93H of the Massachusetts General Laws, “Security Breaches.” It sets out the duty to protect residents’ personal information and to give notice when it is breached, directs the state to issue implementing regulations (201 CMR 17.00, the standards for protecting residents’ personal information) and provides for enforcement actions by the Attorney General for non-compliance.
The provisions apply to “all persons that own, license, store or maintain personal information about a resident of Massachusetts.” “Personal information” is a resident’s first and last name, or first initial and last name, in combination with any one of the following: a Social Security number; a driver’s license or state-issued identification card number; or a financial account number or credit or debit card number that would permit access to the resident’s financial account. A name alone or an account number alone does not qualify; it is the combination that brings a record under the law.
The law requires every covered company or person to develop, implement, maintain and monitor a “comprehensive written information security program” (commonly called a WISP). The regulations break the program into twelve sub-categories of requirements falling in three areas:
- Administrative
- Technical
- Physical
The technical safeguards call for specific computer security controls: secure user authentication (unique user IDs, secure handling of passwords, and blocking access after repeated failed login attempts); access control that limits access to those who need the information for their jobs; encryption of personal information sent across public networks or wirelessly, and of personal information stored on laptops and other portable devices; reasonably up-to-date firewalls and operating system patches; reasonably up-to-date anti-virus and other security agent software; and monitoring of systems for unauthorized use.
The program must be in place by January 1, 2010.
Licata Risk Advisors can provide a turn-key solution to the compliance effort, including the computer security piece (in conjunction with a computer security firm with which we have a working relationship and which we are enlisting for this project). If your IT department can handle that aspect, we will work with it to develop the compliance program.
May 06, 2009